W32/Virut-Gen

Category: Viruses and Spyware
Type: Win32 worm
Protection available since: 24 Nov 2007 01:12:07 (GMT)
Last Updated: 13 Aug 2013 08:58:05 (GMT)
Prevalence: Small Number of Reports


Summary

W32/Virut-Gen is a virus for the Windows platform.

Detailed analysis

Example behaviours of W32/Virut-Gen follow:

Example 1

File Information
  • Size: 690K
  • SHA-1: 5033aa15a65c3fc72acfe603e8e6e998a6647d3c
  • MD5: 103b8c2753937ff61a0191c3764f058b
  • CRC-32: d55fa3ce
  • File type: application/x-ms-dos-executable
  • First seen: 2010-08-28

Runtime Analysis

Copies Itself To
  • C:\WINDOWS\regsvr.exe
  • C:\WINDOWS\system32\regsvr.exe
  • C:\WINDOWS\system32\svchost .exe
Dropped Files
  • C:\WINDOWS\system32\setup.ini
  • C:\WINDOWS\system32\28463\svchost.exe
  • C:\WINDOWS\system32\28463\svchost.001
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NofolderOptions
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    GlobalUserOffline
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Msn Messsenger
    C:\WINDOWS\system32\regsvr.exe
  • HKLM\SYSTEM\CurrentControlSet\Services\Schedule
    AtTaskMaxHours
    0x00000000
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    svchost Agent
    C:\WINDOWS\system32\28463\svchost.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr
    0x00000000
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell
    Explorer.exe regsvr.exe
Processes Created
  • c:\windows\system32\28463\svchost.exe
  • c:\windows\system32\at.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://www.yahoo.com/setting.doc
  • http://www.yahoo.com/setting.xls
  • http://yahoo.com/setting.doc
  • http://yahoo.com/setting.xls
DNS Requests
  • www.yahoo.com
  • yahoo.com

Example 2

Runtime Analysis

Modified Files
  • %SYSTEM%\cisvc.exe
    • Changed the file contents
  • %SYSTEM%\clipsrv.exe
    • Changed the file contents
  • %SYSTEM%\logonui.exe
    • Changed the file contents
  • %SYSTEM%\vssvc.exe
    • Changed the file contents
  • %SYSTEM%\ie4uinit.exe
    • Changed the file contents
  • %SYSTEM%\rsvp.exe
    • Changed the file contents
  • %SYSTEM%\spoolsv.exe
    • Changed the file contents
  • %SYSTEM%\wbem\wmiapsrv.exe
    • Changed the file contents
  • %SYSTEM%\cmdminimentor.exe
    • Changed the file contents
  • %SYSTEM%\shmgrate.exe
    • Changed the file contents
  • %SYSTEM%\scminimentor.exe
    • Changed the file contents
  • %SYSTEM%\scardsvr.exe
    • Changed the file contents
  • %SYSTEM%\userinit.exe
    • Changed the file contents
  • %PROGRAM FILES%\Messenger\msmsgs.exe
    • Changed the file contents
  • %WINDOWS%\inf\unregmp2.exe
    • Changed the file contents
  • %SYSTEM%\msiexec.exe
    • Changed the file contents
  • %SYSTEM%\smlogsvc.exe
    • Changed the file contents
  • %SYSTEM%\dmadmin.exe
    • Changed the file contents
  • %SYSTEM%\locator.exe
    • Changed the file contents
  • %SYSTEM%\IME\TINTLGNT\TINTSETP.EXE
    • Changed the file contents
  • %SYSTEM%\rdpclip.exe
    • Changed the file contents
  • %SYSTEM%\imapi.exe
    • Changed the file contents
  • %SYSTEM%\mnmsrvc.exe
    • Changed the file contents
  • %PROGRAM FILES%\Outlook Express\setup50.exe
    • Changed the file contents
  • %WINDOWS%\network diagnostic\xpnetdiag.exe
    • Changed the file contents
  • %SYSTEM%\ups.exe
    • Changed the file contents
  • %SYSTEM%\msdtc.exe
    • Changed the file contents
  • %SYSTEM%\ntsd.exe
    • Changed the file contents
  • %SYSTEM%\sc.exe
    • Changed the file contents
  • %WINDOWS%\ime\imjp8_1\imjpmig.exe
    • Changed the file contents
  • %SYSTEM%\sessmgr.exe
    • Changed the file contents
  • %SYSTEM%\IME\PINTLGNT\IMSCINST.EXE
    • Changed the file contents
  • %SYSTEM%\dllhost.exe
    • Changed the file contents
Registry Keys Modified
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    SavedLegacySettings
    3c 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    History
    C:\Documents and Settings\support\Local Settings\History
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    SavedLegacySettings
    3c 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Cache
    C:\Documents and Settings\support\Local Settings\Temporary Internet Files
DNS Requests
  • proxima.ircgalaxy.pl

Example 3

Other vendor detection
  • Kaspersky: Virus.Win32.Virut.ca

Runtime Analysis

Copies Itself To
  • C:\WINDOWS\regsvr.exe
  • C:\WINDOWS\system32\regsvr.exe
  • C:\WINDOWS\system32\svchost .exe
Dropped Files
  • C:\WINDOWS\system32\setup.ini
  • C:\WINDOWS\system32\28463\svchost.exe
  • C:\WINDOWS\system32\28463\svchost.001
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NofolderOptions
    0x00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
    shared
    \New Folder .exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Msn Messsenger
    C:\WINDOWS\system32\regsvr.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    GlobalUserOffline
    0x00000000
  • HKLM\SYSTEM\CurrentControlSet\Services\Schedule
    AtTaskMaxHours
    0x00000000
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    svchost Agent
    C:\WINDOWS\system32\28463\svchost.exe
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell
    Explorer.exe regsvr.exe
Processes Created
  • c:\windows\system32\28463\svchost.exe
  • c:\windows\system32\at.exe
  • c:\windows\system32\cmd.exe
HTTP Requests
  • http://www.yahoo.com/setting.doc
  • http://www.yahoo.com/setting.xls
  • http://yahoo.com/setting.doc
  • http://yahoo.com/setting.xls
DNS Requests
  • www.yahoo.com
  • yahoo.com